Aligning Security With Business Objectives
PHYSICAL SECURITY PROFESSIONALS are regularly exhorted to speak the language of business and learn to communicate effectively with managers from other business units as well as C-level executives. Chief information security officers (CISOs) are getting the same advice from consulting firm PricewaterhouseCoopers (PWC) in a guidebook whose name will sound familiar to security managers: How to Align Security With Your Business Objectives.
The guidebook provides a five-step approach for CISOs to achieve success in their positions: assess, analyze, strategize, align, and communicate. PWC partner James Quinnild, one of the authors of the guidebook, says that the goal was to help CISOs succeed in a world that has changed dramatically from five years ago.
Back then, CISOs were “primarily technologists predominantly focused on keeping bad people out. Now we see them as significant protectors of the brand, leaders of risk management for the organization, at least within IT, as well as a significant part in most organizations’ compliance with regulations,” says Quinnild.
He notes that, like their physical security counterparts, CISOs “need to be able to define, in business terms, what the strategy for security is,” what activities or projects they are working on, and how these align with the organization’s goals.
CISOs also need to communicate effectively with other business units to ensure an enterprise-wide view of risk management. Quinnild gives the example of security groups that are talking with marketing managers who want to collect customer data as a way to provide better customer service.
“The more information you collect, the more risk you’re incurring to the business if it ever gets compromised,” he says, “so you see a lot of marketing groups now working with security much more hand in hand and in a much more balanced conversation.”